Tech Tips and Tricks & Advice – written in plain English.

More Internet safety–Use your router for access control

A reader comment (thanks Mike) reminded me of a point I intended to make — most home routers/wireless routers have the ability to add another layer of protection for your kid’s Internet safety. Today I will show just how to take advantage of the features built into these devices. A big advantage is the router’s blocking (typically) won’t be undone by a savvy kid. Today’s free link was also inspired by a reader comment. Keep those useful comments coming folks, they often benefit everyone.

Tip of the day: Use your router’s security features to limit your child’s access to the Web. I wrote a three-part series titled “Steps you can take to keep your kids safe on the Internet” and this post should be considered part 4. In part 1, I showed you how to create a Limited User account and lock down Internet Explorer. In part 2, I discussed monitoring and controlling your child’s web-surfing with Parental Control programs. And in part 3 I told you how to monitor chat, and decipher the “code” language used there. If you missed any of these, click on the blue links to view them.

For the purposes of demonstration, I’m going to use arguably the most common/popular wireless router sold to date — the Linksys WRT54G — but I want you to understand that these features can be found on most, if not all, makes and models and accessed in similar ways. If you have already gone in and changed the address range and/or router name and password, substitute your settings … I will show the Linksys defaults.

Step 1) Access your router’s control panel. Open your browser and type in http://192.168.1.1 and you will be asked for a name and password. Leave the name blank and type “admin” (no quotes) in the password box. You will now see the Linksys control panel’s Setup page, which is where you make general connection (to your ISP) changes.
We are not going to make any changes here on the Setup tab (I am just showing you what to expect); we’re going to use the Administration and Access Restrictions tabs.

Step 2) To prevent our tech-savvy kid from undoing the restrictions we’re going to put in place a new password. Click on “Administration” in the upper black bar. The top input boxes are for our new password. Think up a complex password your child won’t be able to guess, like “Kepe0uThek1dz”, (and write it down, and keep it someplace they won’t snoop) and enter it, and “confirm” it. Now scroll down and click on “Save Settings”.
The control panel will disappear while the router absorbs these changes and then a screen will tell you your changes have been saved. Click “to continue” and the control panel will reappear.

Step 3) Now we’re going to put some restrictions in place — click on “Access Restrictions” in the upper black bar. On this page we are going to set up an ACL which Linksys refers to as a “policy”. You can establish more than one policy if you desire, but for our purposes one is enough. In the screenshot below, I have told the router that there’s to be no Internet access from midnight to 6am on any computer, but you can assign your child’s machine a fixed IP address and by clicking the Edit List of PCs button, apply these restrictions only to your child’s machine … if they have their own, that is. [update: you can also use the MAC address. For my article on how to find and use it, click here.]
As you can see, you can ‘tweak’ the time restrictions on a day-by-day basis, so schoolnights can have a different shutoff time than weekends, say.

Now scroll down and you will see where we can do some more specific blocking.
Here I have specifically denied access to My Space, and if I were really doing this I would also add the other popular “social networking” sites (like Facebook). Please note that I used wildcards (“*”) in place of “www” and “.com” — this is done to eliminate/block all the pages of the site “MySpace”. You are not limited to four URLs as the boxes might indicate. You can put as many into one box as you’d like … just separate each URL with a semicolon.

I have also started a “keyword” list to be blocked, which will block any websites that contain these words. This is far from the list you would want to use, I suspect — you would probably want to include “wild parties”, “wild sex”, “totally nude”, “wild girls”, “boys gone wild”, and you may want to include “gun”, “guns”, “shooting”, and such. This is up to you to decide and configure … just separate each keyword (or phrase) by commas.

Step 4) Click Save Settings and exit the control panel. And that’s it. Congratulations: you’ve added another layer of security, and shown your kid you just may know enough “tech” to earn a little respect.

UPDATE 8/26:
A reader commented that he has done the above steps and could still access My Space. He naturally wondered why. The first thing to verify is that your new policy is enabled.
It is not necessary to give your access policy a name, but it may help you to do so — I named mine “Restrictions” to demonstrate.

The second step may not be required, but if you can still visit the sites you’re trying to block, you need to tell the router which PC’s to apply this policy to. Click on the “Edit List of PCs” button.
Here you can “apply” the policy to a specific machine by using the MAC address or fixed IP, or to all attached machines by setting a range of IP’s. To ensure coverage of every machine, enter the range 0-254, as shown. Now Save Settings, and you’re set.
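To make the troubleshooting above concrete, here is a small model of how such a policy decides on a request. It is an added example, not Linksys firmware code. It assumes the schedule window blocks all access while URL and keyword lists apply at any hour, and every name and sample value in it is constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, time
from fnmatch import fnmatchcase
from ipaddress import ip_address

@dataclass(frozen=True)
class Policy:
    name: str
    enabled: bool            # the policy must be enabled to have any effect
    pcs: tuple               # (first, last) IP range from "Edit List of PCs"
    days: frozenset          # weekdays the schedule applies to, Monday=0
    start: time              # schedule window start (inclusive)
    end: time                # schedule window end (exclusive, same day)
    urls: tuple = ()         # wildcard patterns matched against the host name
    keywords: tuple = ()     # substrings matched against the whole URL

    def covers(self, ip):
        lo, hi = (ip_address(a) for a in self.pcs)
        return self.enabled and lo <= ip_address(ip) <= hi

def decide(policies, ip, url, when):
    """Return 'allow' or 'deny:<policy>:<reason>' for one web request."""
    url = url.lower()
    host = url.split("://", 1)[-1].split("/", 1)[0]
    for p in policies:
        if not p.covers(ip):
            continue         # disabled, or this PC is not on the policy's list
        if when.weekday() in p.days and p.start <= when.time() < p.end:
            return f"deny:{p.name}:schedule"
        if any(fnmatchcase(host, pat) for pat in p.urls):
            return f"deny:{p.name}:url"
        if any(k in url for k in p.keywords):
            return f"deny:{p.name}:keyword"
    return "allow"

# Constructed sample data mirroring the post's settings (assumed model, not firmware).
POLICY = Policy("Restrictions", True, ("192.168.1.0", "192.168.1.254"),
                frozenset(range(7)), time(0, 0), time(6, 0),
                urls=("*myspace*",), keywords=("shooting",))
DISABLED = replace(POLICY, enabled=False)
ONE_PC = replace(POLICY, pcs=("192.168.1.100", "192.168.1.100"))
EVENING = datetime(2024, 1, 10, 20, 0)   # 8pm, outside the schedule window
NIGHT = datetime(2024, 1, 10, 1, 30)     # 1:30am, inside it
KID = "192.168.1.105"

if __name__ == "__main__":
    for label, pol in (("enabled", POLICY), ("disabled", DISABLED),
                       ("PC not on list", ONE_PC)):
        print(label, decide([pol], KID, "http://www.myspace.com/home", EVENING))
```

The last two cases return "allow" for the same request, which is the symptom the reader reported: a policy that is saved but not enabled, or whose PC list does not include the machine, blocks nothing.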

Today’s free link: A very thorough resource for parents concerned about Internet safety for their kids can be found at the all-volunteer WiredSafety.org. From site: “All-inclusive, free resource focusing on Internet safety, help and education for Internet users of all ages; providing information and solutions to online…”

Thank you Hal,
It is typically true that existing connections will not be terminated. ACL’s are typically applied as the connection is established. However, some routers apply restrictions to each packet, which will effectively terminate sessions.
The reason parents should be aware of this ability is so that the child cannot arise, after being put to bed, and get into late-night mischief.
I am not suggesting that parents let the router do all the work — a savvy user can easily undo its settings — but to be aware of this “layer” of defense.

Sandlapper,
I have to make a couple of assumptions, such as that you’re using a WRT 54G…
It is possible that you have simply omitted a step. Please scroll up to the UPDATE portion of the post, where I have published the answer.

Your help is greatly appreciated. Thanks to your post, I have figured out how to restrict access to porn and other bad stuff. However, how do I restrict access to specific sites (like facebook) DURING SPECIFIC TIMES ONLY (like, 7-9pm, when they should be doing homework!) but she can access it at other times. THANKS!!

Steve–
Hmmm.. that’s a very good question, (maybe the best question I’ve had all week) and I am not going to be able to give you a step-by-step (I don’t know your router, for one thing) but I’ll try to point you in the right direction.
One option is iffy, because I’m not sure if the for-pay software solutions allow you to set time controls on a per-URL basis, but you might look into the likes of NetNanny.
An option that has a better chance is to set a second policy (named.. “work time” or something) and set it to ‘enable’ (aka “run”) itself from 7-9, and block the URL’s. The two will work together during that time, and be more restrictive (the WRT 54G allows up to 10 policies to be set. Your make/model may vary.)
If the router doesn’t allow two different policies to run at the same time, you could use another Parental Control software solution to provide the ‘tougher’ restrictions.. Use the router for the “always on” restrictions (xxx – rated, ie) and the software for the ‘work time’ restrictions.

But .. people (and, yes, kids too) are pretty clever, and there are ways around access control lists. Perhaps a logging tool, or Parental Monitoring (essentially spyware) program might be appropriate (or.. the belief that there’s one installed..). Something that keeps track of (and timestamps) your child’s activity, and gives you indisputable evidence when rules are broken.

Wow….the blogs are full of people trying to get keyword filtering to work….with no answers. Although this page seems clear enough…I could still not get keyword filtering to work. Shame on Cisco for not knowing what the customers want and having detailed step by step on their site.

Thanks techpaul for all the useful information. I’m trying to set up a network for my office that will restrict web use to only 2 or 3 websites that my employees will need to use. Are there any routers that will allow you to restrict ALL except for a few websites?

Tony,
Any router that allows ACL’s (which to the best of my knowledge is all of them) will allow you to “blacklist” (deny) and “whitelist” (allow) .. the trick then becomes crafting the list.
(Believe it or not, your router manufacturer’s tech support (not the 1st tier, of course) can be quite helpful in this.)

One problem is that children don’t seem to have any problem posting private and personal information about where they live, what school they go to or even putting videos or pictures of themselves online. A lot of kids will openly get into conversations with strangers they have met online. Then another statistic says that 1 in 5 children say their parents have not discussed anything with them about staying safe online. Every person needs to really understand how crucial parental controls are for kids on the internet.

Great using a router/firewall as an additional layer of protection for kids on the Internet. Important to have the initial Admin password changed & protected to stop the tech-savvy kids making changes. Thanks for sharing.

Kid Internet Safety,
I take Internet safety very seriously. And I take children’s safety very seriously. Since children get on the intertubes…

I advocate parents take proactive roles. And I support Parental Monitoring.. even though some might call it “spying”.
The Internet is not Disneyland. No one – really – is working to keep it clean, safe, and well-lighted. (Those that are [aka “whitehats”] have no financing and no jurisdiction.) But criminals are using it as their tool of choice.

Many thanks for this useful info techPaul; I’ve set up my WAG200G and can block sites as described, however the http:// is removed from the url when saving so ends up for example as twitter.com rather than the url http://twitter.com. That’s no problem as it still works but I can’t get it to block https://twitter.com (defaults to http) and if I try using wildcards as per your example it returns an “Invalid URL” – any thoughts? I’ve not upgraded firmware as there is no mention of increased facilities for this in later versions.

I just want to add that on the WRT54G, under wireless, advanced settings, and with DD-WRT firmware installed, you can choose times (in 1 hour blocks) that the wireless radio itself is on. I have spent many hours trying to use the parental controls or the internet access policy and have found it lacking.

Here’s how I finally eliminated the problems.

#1 I installed a second router for the kids’ wireless access. This router is wired into the main router, connected to one of the 4 LAN ports on the main router and to the WAN (Internet) port of the second router. The WAN address is set to DHCP automatic while the router itself is 192.168.2.1 whereas the main router is as default 192.168.1.1

#2 I blocked their access to the main router by changing the wireless SSID and by not broadcasting it. I also used the old SSID on the new router with the exact same security settings so for the kids, it was seamless.

#3 I installed DD-WRT firmware on my router. Although this is somewhat advanced, you can just buy one that’s already done used on eBay for around $30-40, or you can buy a Buffalo Technology brand router. You are limited to creating 5 rules on the Linksys but have 10 with DD-WRT.

#4 I made a list of the computers’ MAC addresses and using DHCP reservations in the router (available on Linksys or DD-WRT firmware) set an address for each computer and device (iPods, PS3, Obox, Laptops etc). This made things so much simpler; MAC addresses are impossible to remember, a range of IP’s proved much easier.

#5 I made a set of rules to deny access at certain times, 1 from 9:00PM-Midnight school nights (Sun-Thur), 1 from Midnight-7AM (Mon-Fri), and 1 from 8:30AM-9:00AM (Mon-Fri) (this was so they were off the net and not missing the bus).

#6 I set the wireless radio itself to only operate from 7AM-Midnight, which ensures they are off the internet. With some games they played, if they had been connected, it allowed them to stay connected as someone noted above. I’m not certain if this setting is available with the standard Linksys firmware or not because I no longer use the Linksys firmware so I can’t easily check.

On holidays, the kids obviously want to stay online later, I solved this problem by enabling the guest access on my main router for those days or anytime I want to give them extra access. Not all routers have guest access but it’s almost as easy to just disable the rule that is limiting them, you just have to remember to turn it back off when you’re back on the regular schedule. The kids WON’T remind you!

John Mitchell,
I know you can blacklist (block) websites but, I have not looked that deep into Linksys router config’s since, basically, when Wireless N came out (i.e. all the models I own, and support, are older) so I’d have to look up “DNS lookup logging” or “domains accessed logging” to answer that specifically. (If you set your DNS server to OpenDNS, they do free DNS logging.) You can look for a “Logs” tab in your (router’s) Control Panel. Generally speaking, I doubt your router creates logs that you could easily see where they visited.

But, if your child has erased their browser’s History, my (technician’s) advice is to install parental control/monitoring software; such as the excellent and free K9 Web Protection or Norton’s Family Protection services (Norton Family is free).

• About Tech Paul

I am a (semi)-Retired CompTIA Certified computer & network technician, and the owner of Aplus Computer Aid. I have been building/fixing networks and computers since Windows 95 was the new kid on the block.

I have regularly posted how-to’s and tricks & tips and general computing advice here since 2007. (Use the Search tool to find answers.) Sometimes I answer (your) specific questions in an article if I believed the answer is generally helpful to “everyone”. All the writing you see is my own, typos and all. There is an implied “IMHO” in what you see here.

Note: You are responsible for using this blog and its content. I am in no way liable for any losses caused by user error, viruses and/or other malware, hardware or software failure, or any other conceivable reason.
